Create a policy assignment to identify non-compliant resources using Azure PowerShell

The first step in understanding compliance in Azure is to identify the status of your resources. In this quickstart, you create a policy assignment to identify virtual machines that aren't using managed disks. When complete, you'll have a list of the virtual machines that are non-compliant.

The Azure PowerShell module is used to manage Azure resources from the command line or in scripts. This guide explains how to use the Az module to create a policy assignment.

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • Before you start, make sure that the latest version of Azure PowerShell is installed. See Install Azure PowerShell module for detailed information.

  • Register the Policy Insights resource provider using Azure PowerShell. Registering the resource provider makes sure that your subscription works with it. To register a resource provider, you must have permission to the register resource provider operation (Microsoft.*/register/action on the subscription). This operation is included in the Contributor and Owner roles. Run the following command to register the resource provider:

    # Register the resource provider if it's not already registered
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
    

    For more information about registering and viewing resource providers, see Resource Providers and Types.

Create a policy assignment

In this quickstart, you create a policy assignment for the built-in Audit VMs that do not use managed disks definition. This policy definition identifies virtual machines not using managed disks and reports them as non-compliant; its effect is audit, so it does not block or change the virtual machines.

Run the following commands to create a new policy assignment:

# Get a reference to the resource group that will be the scope of the assignment
$rg = Get-AzResourceGroup -Name '<resourceGroupName>'

# Get a reference to the built-in policy definition that will be assigned.
# Matching on the display name is convenient but not unique by design; -Builtin
# excludes custom definitions that might reuse the same display name.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object { $_.Properties.DisplayName -eq 'Audit VMs that do not use managed disks' }

# Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $rg.ResourceId -PolicyDefinition $definition

The preceding commands use the following information:

  • Name - The actual name of the assignment. For this example, audit-vm-manageddisks was used.
  • DisplayName - Display name for the policy assignment. In this case, you're using Audit VMs without managed disks Assignment.
  • Definition - The policy definition on which the assignment is based. In this case, it's the ID of the policy definition Audit VMs that do not use managed disks.
  • Scope - A scope determines which resources or grouping of resources the policy assignment gets enforced on. It can range from a subscription down to a single resource group. Be sure to replace <resourceGroupName> with the name of your resource group.
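The assignment steps above, combined into one re-runnable script (an added example, not code from the original page or from Microsoft): it waits for the Policy Insights provider registration to complete, requires exactly one built-in definition to match the display name so a look-alike custom definition cannot be assigned by mistake, creates the assignment only if it does not already exist, and reads it back to confirm the scope and definition. The resource group name is a placeholder; `Get-PolicyProp` is a helper written here to cope with the nested (`.Properties.X`) and flattened (`.X`) object shapes returned by different Az.Resources versions.

```powershell
# Added example: idempotent creation of the quickstart's policy assignment.
# Assumes Connect-AzAccount has already been run and Az.Resources is installed.
param(
    [string]$ResourceGroupName     = '<resourceGroupName>',   # placeholder, replace with your own
    [string]$AssignmentName        = 'audit-vm-manageddisks',
    [string]$DefinitionDisplayName = 'Audit VMs that do not use managed disks'
)
$ErrorActionPreference = 'Stop'

function Get-PolicyProp {
    # Older Az.Resources nests policy properties under .Properties; newer versions
    # flatten them onto the object. Read whichever shape we were given.
    param($Object, [string]$Name)
    if ($Object.PSObject.Properties['Properties']) { return $Object.Properties.$Name }
    return $Object.$Name
}

# 1. Ensure Microsoft.PolicyInsights is registered. Registration is asynchronous,
#    so poll the state instead of assuming Register-AzResourceProvider blocked.
$states = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights').RegistrationState
if ($states -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' | Out-Null
    do {
        Start-Sleep -Seconds 5
        $states = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights').RegistrationState
    } until ($states -contains 'Registered')
}

# 2. Resolve the built-in definition and insist on exactly one match.
$definition = @(Get-AzPolicyDefinition -Builtin | Where-Object {
    (Get-PolicyProp $_ 'DisplayName') -eq $DefinitionDisplayName
})
if ($definition.Count -ne 1) {
    throw "Expected exactly one built-in definition named '$DefinitionDisplayName', found $($definition.Count)."
}
$definition = $definition[0]

# 3. Create the assignment at resource-group scope unless it already exists,
#    so re-running the script does not fail or create duplicates.
$rg = Get-AzResourceGroup -Name $ResourceGroupName
$assignment = Get-AzPolicyAssignment -Name $AssignmentName -Scope $rg.ResourceId -ErrorAction SilentlyContinue
if (-not $assignment) {
    $assignment = New-AzPolicyAssignment -Name $AssignmentName `
        -DisplayName 'Audit VMs without managed disks Assignment' `
        -Description 'Quickstart: report VMs that still use unmanaged disks' `
        -Scope $rg.ResourceId `
        -PolicyDefinition $definition
}

# 4. Read the assignment back and verify it targets the intended scope and definition
#    before trusting any compliance results derived from it.
$check = Get-AzPolicyAssignment -Name $AssignmentName -Scope $rg.ResourceId
$actualScope = Get-PolicyProp $check 'Scope'
$actualDef   = Get-PolicyProp $check 'PolicyDefinitionId'
$expectedDef = if ($definition.PSObject.Properties['ResourceId']) { $definition.ResourceId } else { $definition.Id }
if ($actualScope -ne $rg.ResourceId) { throw "Assignment scope is '$actualScope', expected '$($rg.ResourceId)'." }
if ($actualDef   -ne $expectedDef)   { throw "Assignment uses definition '$actualDef', expected '$expectedDef'." }
Write-Host "Assignment '$AssignmentName' is in place at $actualScope using $actualDef"
```

Run it as `.\New-AuditAssignment.ps1 -ResourceGroupName myRg` (the file name is your choice). Checking the definition match count matters because Azure Policy display names are not unique: a custom definition with the same display name in the same subscription would otherwise be picked up silently.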

You're now ready to identify non-compliant resources to understand the compliance state of your environment.

Identify non-compliant resources

Use the following information to identify resources that aren't compliant with the policy assignment you created. Compliance evaluation of a new assignment is not immediate; if the command returns nothing, wait for the evaluation to complete and run it again. Run the following commands:

# Get the resources in your resource group that are non-compliant to the policy assignment
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'

For more information about getting policy state, see Get-AzPolicyState.

Your results resemble the following example:

Timestamp                   : 3/9/19 9:21:29 PM
ResourceId                  : /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmId}
PolicyAssignmentId          : /subscriptions/{subscriptionId}/providers/microsoft.authorization/policyassignments/audit-vm-manageddisks
PolicyDefinitionId          : /providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d
IsCompliant                 : False
SubscriptionId              : {subscriptionId}
ResourceType                : /Microsoft.Compute/virtualMachines
ResourceTags                : tbd
PolicyAssignmentName        : audit-vm-manageddisks
PolicyAssignmentOwner       : tbd
PolicyAssignmentScope       : /subscriptions/{subscriptionId}
PolicyDefinitionName        : 06a78e20-9358-41c9-923c-fb736d382a4d
PolicyDefinitionAction      : audit
PolicyDefinitionCategory    : Compute
ManagementGroupIds          : {managementGroupId}

The results match what you see in the Resource compliance tab of a policy assignment in the Azure portal view. Note that this sample output was captured from a subscription-scoped assignment, which is why PolicyAssignmentId and PolicyAssignmentScope end at the subscription; for the resource-group-scoped assignment created above, both include the resourceGroups/<resourceGroupName> segment.
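A reporting script built on the query above (an added example, not part of the original page or Microsoft's own tooling): it optionally forces an on-demand evaluation so a freshly created assignment does not report an empty result, collapses the state records to one row per resource, cross-checks the count against the service-side summary, and exits non-zero when anything is non-compliant so it can gate a pipeline. The resource group name is a placeholder; `Start-AzPolicyComplianceScan` and `Get-AzPolicyStateSummary` are assumed to be available from a current Az.PolicyInsights module.

```powershell
# Added example: report non-compliant resources for one assignment and fail on findings.
# Assumes Connect-AzAccount has been run and Az.PolicyInsights is installed.
param(
    [string]$ResourceGroupName = '<resourceGroupName>',   # placeholder, replace with your own
    [string]$AssignmentName    = 'audit-vm-manageddisks',
    [switch]$TriggerScan                                  # force a fresh evaluation before reporting
)
$ErrorActionPreference = 'Stop'

function Get-NonCompliantReport {
    param([string]$ResourceGroupName, [string]$AssignmentName, [switch]$TriggerScan)

    if ($TriggerScan) {
        # Compliance is evaluated on a schedule; a new assignment can show nothing for a while.
        # Start-AzPolicyComplianceScan (assumed present in Az.PolicyInsights) runs an
        # on-demand evaluation of the resource group and returns when it has finished.
        Start-AzPolicyComplianceScan -ResourceGroupName $ResourceGroupName | Out-Null
    }

    # Server-side filter to non-compliant records only, scoped to this assignment.
    $states = Get-AzPolicyState -ResourceGroupName $ResourceGroupName `
                                -PolicyAssignmentName $AssignmentName `
                                -Filter 'IsCompliant eq false'

    # One row per resource: keep only the newest record for each ResourceId so a
    # resource evaluated several times is not counted more than once.
    $rows = @($states |
        Group-Object ResourceId |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1
            [pscustomobject]@{
                ResourceId   = $latest.ResourceId
                ResourceType = $latest.ResourceType
                Effect       = $latest.PolicyDefinitionAction   # 'audit' here; 'deny' would block creation instead
                Timestamp    = $latest.Timestamp
            }
        })

    # Independent count from the summary endpoint, used to catch truncated or stale queries.
    $summary = Get-AzPolicyStateSummary -ResourceGroupName $ResourceGroupName -PolicyAssignmentName $AssignmentName
    [pscustomobject]@{
        NonCompliantResources = $rows.Count
        SummaryNonCompliant   = $summary.Results.NonCompliantResources
        Rows                  = $rows
    }
}

$report = Get-NonCompliantReport -ResourceGroupName $ResourceGroupName -AssignmentName $AssignmentName -TriggerScan:$TriggerScan
$report.Rows | Format-Table ResourceType, ResourceId, Timestamp -AutoSize

if ($report.NonCompliantResources -ne $report.SummaryNonCompliant) {
    Write-Warning "Row count ($($report.NonCompliantResources)) differs from summary count ($($report.SummaryNonCompliant)); results may be stale."
}
if ($report.NonCompliantResources -gt 0) {
    Write-Warning "$($report.NonCompliantResources) resource(s) in '$ResourceGroupName' do not use managed disks."
    exit 1
}
Write-Host "All resources in '$ResourceGroupName' comply with '$AssignmentName'."
```

Because the quickstart's definition uses the audit effect, a non-zero exit here is the only enforcement point; switching the assigned definition to one with a deny effect would instead stop non-compliant virtual machines from being created at all.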

Clean up resources

To remove the assignment you created, use the following command. The scope must be the same scope the assignment was created at (the resource group in this quickstart):

# Removes the policy assignment; -Scope must match the scope used when it was created
Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>'

Next steps

In this quickstart, you assigned a policy definition to identify non-compliant resources in your Azure environment.

To learn more about assigning policies to validate that new resources are compliant, continue to the tutorial for: